At MachineMetrics, we take the security of your data very seriously. This article outlines the security measures for our hardware, software, data transmission, and cloud infrastructure.
Topics covered in this article:
- Edge Device
- Edge Device Software
- Authentication Service
- Machine Communication Service
- Data Collection Service
- Configuration Service
- MachineMetrics Cloud Infrastructure
- Fleet Management
Edge Device
The edge device is a small, networked, industrial computer running a limited Linux operating system (OS) and the MachineMetrics software. We use container technology to isolate services such as authentication, data collection, and machine communication. Edge devices can collect and transmit data in many different ways depending on the installation environment and the connected machines. We provision, configure, and install each device according to its intended operating environment and with security in mind. There are no user accounts or facilities for interactive logins. To prevent unauthorized changes to the software configuration and to prohibit booting the system from an external drive, external boot options are disabled in the Basic Input Output System (BIOS).
Each device is provisioned with unique keys and a network configuration so it can register with, and be authenticated and authorized by, the MachineMetrics servers. The access keys grant the software that connects to MachineMetrics only the minimal level of access that is necessary. All communication is encrypted. The keys can be refreshed or revoked by MachineMetrics.
Edge Device Software
Each edge device runs a collection of services written by MachineMetrics to fulfill needs such as authentication, data collection, and communicating with machines. Each service runs in a separate Docker container, which isolates it from other services and from the main operating system.
The device only makes outgoing network connections and normally does not provide any network services. As a pure client communicating with a fixed set of configured hosts, the edge device does not present an inbound network attack surface. Because it does not run any network-facing services, it is not possible to initiate a network connection to it.
- All communication to MachineMetrics is initiated as an outbound HTTPS connection over port 443.
- All communication to MachineMetrics is encrypted via HTTPS.
- Services use a combination of web requests and persistent web sockets.
- Services are authenticated to MachineMetrics with a unique API Key that was generated during provisioning.
- API Keys can be remotely revoked or refreshed by MachineMetrics.
- API Keys grant the minimum amount of access to the MachineMetrics servers needed to fulfill gateway service roles.
Authentication Service
The edge device authentication service manages the MachineMetrics API key and its metadata.
Machine Communication Service
The communication service runs a supervisor process that manages all machines associated with the edge device. For machines that are not configured as MTConnect-native machines, the supervisor will configure and launch a dedicated adapter process that knows how to connect with a given machine type and gather data.
Each adapter process runs a server that accepts inbound connections only from other containers within the device, on a port designated by the supervisor, and emits a stream of data conforming to the MTConnect Adapter Agent Protocol. Each adapter process also makes outbound connections on the local network to the specific machine, server, or device specified in the machine configuration in MachineMetrics.
Data Collection Service
The data collection service connects to servers on the local network that implement the MTConnect Adapter Agent Protocol. These servers are either adapters managed by the machine communication service and thus located on the edge device itself or are an MTConnect-native device such as a machine. In all cases, the data service only makes connections to devices that have been configured in the MachineMetrics system.
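The adapter stream the data collection service consumes is line-oriented (a timestamp followed by key/value pairs, with `*`-prefixed lines reserved for adapter commands such as PING/PONG). Because that stream arrives from machines on the local network, the consumer should reject malformed lines without stopping collection. The parser below is an added illustration, not MachineMetrics code; the sample stream is constructed, and condition items with extra fields are out of scope.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of an MTConnect adapter (SHDR) stream, including two
# deliberately malformed lines; not captured from a real MachineMetrics device.
SAMPLE_STREAM = """\
* shdrVersion: 1.7
2024-05-01T12:00:00.000Z|avail|AVAILABLE
2024-05-01T12:00:01.250Z|execution|ACTIVE|mode|AUTOMATIC
* PONG 10000
2024-05-01T12:00:02.000Z|Xact|12.345
not-a-timestamp|bogus|value
2024-05-01T12:00:03.000Z|partcount
"""

@dataclass(frozen=True)
class Sample:
    timestamp: datetime
    key: str
    value: str

def parse_line(line):
    """Parse one SHDR line into (samples, command). Lines starting with '*'
    are adapter commands (PING/PONG, version info) and carry no data.
    Condition data items, which carry extra fields, are not handled here."""
    line = line.rstrip("\r\n")
    if not line:
        return [], None
    if line.startswith("*"):
        return [], line[1:].strip()
    fields = line.split("|")
    # A data line is a timestamp followed by one or more key|value pairs.
    if len(fields) < 3 or (len(fields) - 1) % 2 != 0:
        raise ValueError(f"malformed SHDR line: {line!r}")
    try:
        ts = datetime.fromisoformat(fields[0].replace("Z", "+00:00"))
    except ValueError as exc:
        raise ValueError(f"bad timestamp in SHDR line: {line!r}") from exc
    return [Sample(ts, k, v) for k, v in zip(fields[1::2], fields[2::2])], None

def parse_stream(text):
    """Parse a whole stream; malformed lines are counted and skipped so one
    bad line from a machine adapter cannot stall data collection."""
    samples, commands, rejected = [], [], 0
    for line in text.splitlines():
        try:
            found, command = parse_line(line)
        except ValueError:
            rejected += 1
            continue
        samples.extend(found)
        if command is not None:
            commands.append(command)
    return samples, commands, rejected
```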
During installation, any digital IO devices used for machine data collection are connected in read-only mode.
For diagnostic feedback, the data service pings the machines it has been configured with in order to report whether or not they are powered on.
The data service collects and aggregates machine data, and then sends it to the MachineMetrics cloud over a pre-established HTTPS web socket.
Configuration Service
The configuration service allows an edge device's network settings to be configured from the MachineMetrics edge device configuration mobile app. This service advertises itself as a Bluetooth Low Energy (BLE) service to an authenticated mobile app user, and communication between the app and the service is performed over Bluetooth.
MachineMetrics Cloud Infrastructure
The MachineMetrics computing infrastructure is hosted on Amazon Web Services (AWS) in a Virtual Private Cloud (VPC). This means:
- Resources are compartmentalized into public and private areas and access to resources is credential controlled and limited to the least privilege necessary.
- User access to the website is authenticated directly with login credentials or google.com OAuth.
- API access to the backend is controlled by short-lived authentication tokens.
- Any stored passwords are hashed and never stored in cleartext.
- User accounts are role-based and each user is assigned a minimally necessary role.
- Access to data is role-based.
Fleet Management
The MachineMetrics fleet management system is used for device management, monitoring, and updates.
The edge device establishes a VPN connection over which it receives software and configuration updates. As a secondary, backup method, the device also connects periodically over HTTPS to check for updates. The VPN connection is available to a limited set of MachineMetrics employees who use it to maintain, configure, and troubleshoot edge devices. Access to the VPN is restricted to a small number of users and is protected by multi-factor authentication.
If you have any further questions or concerns regarding MachineMetrics security, please reach out to us at firstname.lastname@example.org.